Tuesday, 15 February 2011

Day 1 of B-Sides San Francisco

The awesome guys at Security Stack Exchange got me 8000 miles across to blog B-Sides San Francisco, and it is an amazing opportunity to mix with Infosec professionals from various industries.

All my photos from this trip are on my Picasa page.

My highlights from Day 1:

Gone in 60 keystrokes:Dr Mike Lloyd:Red Seal
Sure, this was a vendor presentation, designed to point out a problem which his product solves well, but Mike didn't ram that point home. His presentation was solidly grounded in real world experience. Mike listed common errors which creep in on even the simplest firewall rulesets - incorrect netmasks, a user readable label for an IP address not matching the actual address etc.

In a small ruleset, a visual inspection - going over the printout with a highlighter may
be enough, but for an enterprise firewall, not only do you come across much larger rulesets, but the risk or impact may also be higher.
Mike's guidance - instead of trawling the ruleset manually, focus on outcomes to understand what is happening - what does the network do? Where does information flow? Where is authentication used? Where do 3rd parties connect?

Security, Supply Chains and You:Hart Rossman:SAIC
Another good real world talk. Hart provided excellent detail on a variety of areas where supply chain errors will impact a business - nothing new, but solid examples of what goes wrong.

Screw The TSA - I'll Be Where I Want And Get Credit For It:Ray Kelly:Barracuda Networks
Location based social networking - how does it work, how can we exploit it?
Examples include 4square, MeetMoi (a seriously creepy stalking location based dating tool) and Ratio Finder (an app which uses 4square - checks where most women and men are...)
The problem with these apps is the same old one: they trust the browser to send correct data. As an example, 4square sends a variable called VID, along with location coordinates. The only check on 4square seems to be a quick validation on speed (eg if I check in in the UK, and then check in in the US 5 minutes later it won't believe I am there. It will let me check in, but not credit me with really being there)
So why is this interesting?
  • To provide an alibi? Maybe.
  • To create a perception of your lifestyle? Possible.
  • To get free stuff? Definitely: More and more retail outlets provide freebies and giveaways to people who check in - simple win: google for a 4square giveaway, check in and collect.

Letting Someone Else's Phone Ring At 3am: Building Robust Incident Management Frameworks:Andy Ellis:Akamai
As Akamai has an extremely large network, and a vast number of clients depending on uptime and performance, managing outages or loads quickly and efficiently is important. The key, according to Andy, is to minimise those things which can impact the response - human error, tiredness, lack of knowledge, lack of understanding, lack of key contacts etc.
Initial thoughts
  • Automate tools in advance
  • Be prepared for things to break
  • Get to the best person as quickly as possible
  • Segregate response functions to avoid neural congestion
  • Design to scale up and down
  • Learn from your mistakes
3 'standing' conference bridges are used for incidents so main one does not get clogged.
To get the best people on the incident, Akamai encourage self-reliance and delegated responsibilities by training throughout. All development managers are given responsibility for fixing their own area, and are provided training to support this.
During an incident, crisis managers are allowed to bypass controls in order to solve the problem quickly.
Common context has been defined, so all can understand severity (4 severity levels)
4 phases are also used:
  1. it's broken (minutes count)
  2. it's bandaged (hours count)
  3. it's fixed (days count)
  4. learn from it
Each incident has Noc technician. They get platform exec or SME. Each team has to provide a list of folks to call, and the order to call them in.
Multiple roles are avoided. Roles are handed off after 4-9 hours to allow team members to rest. Unnecessary team members are dismissed from the team.
Vulnerabilities and projects are tracked and measured.
Learning at all levels - system owner (what do I fix), directors (How do I stop this sort of thing happening again), c-level (What trends need to be dealt with)

The Afterparty was also a great success, with DualCore keeping the crowd entertained until the early hours.

After that, the hardcore crowd ended up at Denny's, talking security, politics, gun control and the early hacking scene, as well as the Security Stack Exchange concept and my band's nomination for an award (seriously folks - get over to www.sama11.co.uk and vote for Metaltech :-)

3 hours sleep - but I'm really looking forward to Day 2!

No comments:

Post a comment